How to tell someone that their site is vulnerable to sql injection


Posted (edited)

Run for the hills! All is lost! Abandon all hope!

I would make a small example program on my own PC/laptop and demonstrate what SQL injection is and what it can do. Just don't do anything to the database (the company's) in question, because you can break things. Also, you might want to only tell management, because you don't want anyone else to know how to hack the company.

What are you afraid of getting in trouble for specifically? If you have access to the company's code, then you can clearly see for yourself that the site is vulnerable to SQL injection. If you do not have access to the code, how did you discover the flaw? If it was a faulty input situation you can explain that. If you did discover the flaw by actively penetration testing the company without authorization, you might want somebody else to discover this flaw.

Edited by overwraith
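The "small example program" suggested above, written here as an added illustration rather than anything posted in the thread: a constructed in-memory SQLite table, a string-built lookup beside its parameterised fix, and the two symptoms a reporter can point management to (a legitimate apostrophe in a name breaks the query, and quote-bearing input changes which rows come back). All table and column names are made up for the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a throwaway table, nothing touching any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String-built query: user input is pasted into the SQL text, so it is parsed as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the input is bound as a value and can never alter the statement."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    """The 'faulty input' symptom: an ordinary name with an apostrophe crashes the vulnerable query."""
    try:
        lookup_vulnerable(conn, "o'brien")
        return False
    except sqlite3.OperationalError:
        return True

def compare(name: str) -> tuple:
    """Run the same input through both versions and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_safe(conn, name)

if __name__ == "__main__":
    # Ordinary input: both versions agree.
    print(compare("bob"))
    # The safe version simply finds no user named o'brien; the vulnerable one raises an error.
    print(breaks_on_apostrophe(make_db()), lookup_safe(make_db(), "o'brien"))
    # Quote-bearing input rewrites the vulnerable query's WHERE clause and returns every row;
    # the parameterised query treats it as a literal name and returns nothing.
    print(compare("x' OR '1'='1"))
```

Running it on a laptop shows the whole argument in three lines of output, with no company data involved.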
Posted

Is the flaw specific to the site or to some software in general? If the flaw is in all versions of a specific web app or software, you notify the vendor of the web app or specific software (if one wasn't already published for the same version this site is running), as well as people like SANS and CERT, with proof of concept, and if that doesn't get it fixed or the vendor ignores the flaw, you go public with it to places like OSVDB, EDB and Packet Storm as well as the Full Disclosure mailing list - http://seclists.org/fulldisclosure/ - but you LEAVE OUT the site in question you found the flaw on. If after that the flaw remains, you can try contacting the company's abuse, NOC, or security department if email addresses are listed, which you may or may not be able to find via their site or even WHOIS info for contacts. Tread lightly.

Posted

There are also ways to anonymously inform the company in question about their problem. I like to use anonymous email applications, but that's just me. Can't speak to the anonymous email apps' security.

Posted (edited)

I fired up Tor and dropped a comment in the Contact Us page.

Thanks guys.

Edited by mreidiv
Posted

Include some links about what it is, why it's a problem, and how to get it fixed. Also be sure to include steps for them to reproduce what you have done.
